Smart card authentication is supported within the guidelines described here.
Multiple smart cards and multiple readers can be used on the same user device, but if pass-through authentication is in use, only one smart card must be inserted when the user starts a virtual desktop or application. When a smart card is used within an application (for example, for digital signing or encryption functions), there might be additional prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time. If users are prompted to insert a smart card when the smart card is already in the reader, they should select Cancel. If they are prompted for the PIN, they should enter the PIN again.
If you are using hosted applications running on Windows Server 2008 or 2008 R2 and with smart cards requiring the Microsoft Base Smart Card Cryptographic Service Provider, you might find that if a user runs a smart card transaction, all other users who use a smart card in the logon process are blocked. For further details and a hotfix for this issue, see http://support.microsoft.com/kb/949538.
Your organization might have specific security policies concerning the use of smart cards. These policies might, for example, state how smart cards are issued and how users should safeguard them. Some aspects of these policies might need to be reassessed in a XenApp or XenDesktop environment.
You can reset PINs using a card management system or vendor utility.
Smart card support also involves components available from Citrix partners. These are updated independently by the partners, and are not described in these documents. For more information, refer to the Citrix Ready program at http://www.citrix.com/ready/.
- Citrix recommends that you install and test the drivers on a physical computer before installing Citrix software.
- For virtual desktops running Windows 7 using smart cards that support and use the mini driver model, smart card mini drivers should download automatically, but you can obtain them from http://catalog.update.microsoft.com or from your vendor. Additionally, if PKCS#11 middleware is required, obtain it from the card vendor.
Remote PC Access with smart cards:
- Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7; smart cards are not supported for office PCs running Windows XP.
- The following smart cards were tested with Remote PC Access:
- Gemalto .NET v2+ with the Gemalto .NET mini driver
- NIST PIV cards with ActivIdentity ActivClient 6.2
- NIST PIV cards with Microsoft mini driver
- CAC cards with ActivIdentity ActivClient 6.2
- Virtual Smart Cards with Microsoft native driver
- User devices must run Citrix Receiver, appropriate middleware, and one of the following operating systems: Windows 7 or Windows 8 (including Embedded Edition), 32-bit and 64-bit.
- Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used on computers running qualifying Windows operating systems. See Microsoft documentation for additional information about hardware PC/SC compliance.
- The following smart card and middleware combinations for Windows systems have been tested by Citrix as representative examples of their type. However, other smart cards and middleware can also be used. For more information about Citrix-compatible smart cards and middleware, see http://www.citrix.com/ready.
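The client-side requirements above (PC/SC support, a WHQL-approved reader, Receiver on a supported Windows device, and the Trusted Sites entry mentioned later) can be verified before rollout. The script below is an added example and is not Citrix documentation or Citrix code. It assumes an elevated PowerShell session on the user device, assumes the per-user ZoneMap registry layout used by Internet Explorer (Group Policy site-to-zone assignments live elsewhere and are not inspected), and uses a placeholder Receiver for Web URL.

```powershell
# Added example (not Citrix documentation or Citrix code): checks a user device against the
# client requirements in the text: Smart Card service running, at least one reader enumerated
# by Windows (PC/SC), a signed driver for each reader, and the Receiver for Web URL present in
# Internet Explorer's Trusted Sites zone. Assumptions: elevated PowerShell on the user device;
# per-user ZoneMap registry layout; $ReceiverForWebUrl is a placeholder for your own store URL.

$ReceiverForWebUrl = 'https://storefront.example.internal/Citrix/StoreWeb'   # placeholder

# Device setup class GUID that Windows assigns to smart card readers.
$SmartCardReaderClassGuid = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'

function Test-SmartCardClient {
    $report = [ordered]@{ ServiceRunning = $false; Readers = @(); UnsignedDrivers = @() }

    # SCardSvr is the Windows Smart Card service (the PC/SC resource manager).
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $report.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Readers Windows has enumerated; a device not in state OK is not offered through PC/SC.
    $readers = Get-WmiObject -Class Win32_PnPEntity -Filter "ClassGuid='$SmartCardReaderClassGuid'" |
        Where-Object { $_.Status -eq 'OK' }
    $report.Readers = @($readers | ForEach-Object { $_.Name })

    # Driver signing per reader; an unsigned driver cannot have passed WHQL.
    $drivers = Get-WmiObject -Class Win32_PnPSignedDriver -Filter "ClassGuid='$SmartCardReaderClassGuid'"
    $report.UnsignedDrivers = @($drivers | Where-Object { -not $_.IsSigned } | ForEach-Object { $_.DeviceName })

    [pscustomobject]$report
}

function Test-TrustedSite {
    param([string]$Url)
    # Internet Explorer records per-user zone assignments under ZoneMap\Domains\<domain>[\<host prefix>];
    # a value named after the URL scheme with data 2 places that host in the Trusted Sites zone.
    $uri    = [uri]$Url
    $labels = $uri.Host.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $keys   = @(Join-Path $base $domain)
    if ($labels.Count -gt 2) {
        $prefix = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $keys = @(Join-Path (Join-Path $base $domain) $prefix) + $keys
    }
    foreach ($key in $keys) {
        $zone = (Get-ItemProperty -Path $key -Name $uri.Scheme -ErrorAction SilentlyContinue).($uri.Scheme)
        if ($zone -eq 2) { return $true }
    }
    return $false
}

$client = Test-SmartCardClient
Write-Host ("Smart Card service : " + $(if ($client.ServiceRunning) { 'running' } else { 'NOT running' }))
Write-Host ("Readers (state OK) : " + $(if ($client.Readers) { $client.Readers -join ', ' } else { 'NONE' }))
Write-Host ("Unsigned drivers   : " + $(if ($client.UnsignedDrivers) { $client.UnsignedDrivers -join ', ' } else { 'none' }))
Write-Host ("Trusted Sites entry: " + $(if (Test-TrustedSite $ReceiverForWebUrl) { 'present' } else { 'MISSING' }))
```

The WMI queries are used rather than Get-PnpDevice so the script also runs on the Windows 7 devices listed as supported; the class GUID filter selects only reader devices, so a device that Windows has enumerated but without a signed driver shows up in the unsigned list rather than silently passing.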
| Middleware | Smart card |
| --- | --- |
| ActivClient 7.0 (DoD mode enabled) | DoD CAC card |
| ActivClient 7.0 in PIV mode | NIST PIV card |
| Microsoft mini driver | NIST PIV card |
| GemAlto Mini Driver for .NET card | GemAlto .NET v2+ |
| Microsoft native driver | Virtual Smart Cards (TPM) |
Before deploying smart cards:
- Add the Citrix Receiver for Web URL to the Trusted Sites list for users who work with smart cards in Internet Explorer with Windows 10. In Windows 10, Internet Explorer does not run in protected mode by default for trusted sites.
- Ensure that your public key infrastructure (PKI) is configured appropriately. This includes ensuring that certificate-to-account mapping is correctly configured for your Active Directory environment and that user certificate validation can be performed successfully.
- Configure components to use TLS 1.0 for smart card logon.
- Ensure your deployment meets the system requirements of the other Citrix components used with smart cards, including Receiver and StoreFront.
- Ensure access to the following servers in your Site:
- The Active Directory domain controller for the user account that is associated with a login certificate on the smart card
- Delivery Controller
- Citrix StoreFront
- Citrix NetScaler Gateway/Citrix Access Gateway 10.x
- Virtual Delivery Agent
- (Optional for remote access): Microsoft Exchange Server
- You should be familiar with smart card technology in general and the technology you selected in particular, and the SDK. You should also know how to install and maintain certificates in distributed environments.
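The PKI and server-access items in the list above can be checked from a test client before the first users are enrolled. The script below is an added example and is not Citrix documentation or Citrix code. It assumes a domain-joined Windows client with the smart card inserted and the ActiveDirectory RSAT module installed; every host name and port in the server inventory is a placeholder to be replaced with your own Site's values, and the "Principal Name=" parsing relies on how Windows formats the Subject Alternative Name extension.

```powershell
# Added example (not Citrix documentation or Citrix code). Pre-deployment checks for the list
# in the text: the inserted card carries a usable smart card logon certificate, that certificate
# chains to a trusted root and passes revocation checking, the UPN it carries maps to an Active
# Directory account, and the Site servers answer on their service ports.
# Assumptions: domain-joined Windows client, card inserted, ActiveDirectory RSAT module installed.
# Host names and ports below are placeholders; replace them with your own Site's values.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU OID

# Placeholder inventory for the servers listed in the text (adjust to your Site).
$Servers = @(
    @{ Role = 'Domain controller';   ComputerName = 'dc01.example.internal';        Port = 389  },
    @{ Role = 'Delivery Controller'; ComputerName = 'ddc01.example.internal';       Port = 80   },
    @{ Role = 'StoreFront';          ComputerName = 'storefront.example.internal';  Port = 443  },
    @{ Role = 'NetScaler Gateway';   ComputerName = 'gateway.example.com';          Port = 443  },
    @{ Role = 'VDA';                 ComputerName = 'vda01.example.internal';       Port = 1494 }
)

function Get-SmartCardLogonCertificate {
    # The card middleware surfaces the card's certificates in the user's personal store;
    # keep only those with the Smart Card Logon EKU and a private key, newest expiry first.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonEku }) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The same validation the domain controller performs at logon: build to a trusted root
    # and check revocation online (CRL/OCSP reachability is part of what is being tested).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Certificate)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    }
    return $ok
}

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Smart card logon certificates carry the UPN in the Subject Alternative Name (OID 2.5.29.17);
    # Windows formats that entry as "Principal Name=user@domain" (formatting assumption).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

function Test-AccountMapping {
    param([string]$Upn)
    # Implicit mapping matches the certificate UPN to the account's userPrincipalName;
    # explicit mapping is recorded in altSecurityIdentities and is reported if present.
    $user = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties altSecurityIdentities -ErrorAction SilentlyContinue
    if (-not $user) { return $false }
    if ($user.altSecurityIdentities) { Write-Host "  explicit mapping: $($user.altSecurityIdentities -join '; ')" }
    return $true
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout, so the check does not depend on Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

# --- run the checks ---
$cert = Get-SmartCardLogonCertificate
if (-not $cert) { Write-Host 'FAIL: no Smart Card Logon certificate with a private key found'; return }
Write-Host "Certificate: $($cert.Subject) (expires $($cert.NotAfter))"
Write-Host ("Chain/revocation: " + $(if (Test-CertificateChain $cert) { 'PASS' } else { 'FAIL' }))

$upn = Get-CertificateUpn $cert
if ($upn) {
    Write-Host ("Account mapping for ${upn}: " + $(if (Test-AccountMapping $upn) { 'PASS' } else { 'FAIL (no matching AD account)' }))
} else {
    Write-Host 'FAIL: certificate has no UPN in its Subject Alternative Name'
}

foreach ($s in $Servers) {
    $state = if (Test-TcpPort $s.ComputerName $s.Port) { 'reachable' } else { 'UNREACHABLE' }
    Write-Host ("{0,-20} {1}:{2} {3}" -f $s.Role, $s.ComputerName, $s.Port, $state)
}
```

A chain failure here usually points at a missing intermediate or an unreachable CRL/OCSP endpoint, which is the same condition that causes the domain controller to reject the logon; a mapping failure with a valid chain means the certificate's UPN does not match any account and an explicit altSecurityIdentities mapping is needed.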